Small providers increasingly likely to be hack targets

Obscurity doesn’t offer protection for practices and hospitals, says Chase Cunningham.


Too many small hospitals and small or mid-sized physician practices believe defending against cyber attacks is pointless and they’re just hoping to be saved by being obscure.

That’s a risky approach, because hackers are not just looking for big targets; rather, they’re setting their sights on easy targets.

Banking on obscurity “is something that’s not going to happen,” says Chase Cunningham, director of cyber threat research and innovation at Armor Defense, which sells a healthcare secure cloud platform.

Small physician practices are at risk for other reasons, Cunningham says. Physicians have other things to worry about, particularly treating patients, and while they likely are aware of HIPAA, many aren’t aware of the severity of current cyber threats.

For smaller healthcare organization that fear a cyber attack but can’t afford to defend against it, there are free open source tools, such as Alien Vault, which monitors networks, as well as basic encryption tools that don’t take a lot of time and expertise to implement.

Having a guest wireless network that is separate from the corporate network, and using two-factor authentication to access information systems, also offers additional protection, Cunningham advises. Two cyber security guides from the National Institute of Standards and Technology—800-53 and 800-71—also can help an organization make improvements in security practices, and they’re aimed at smaller organizations.

Those organizations that are using open source security tools and complying with NIST guidelines to the best of their ability will be “light-years ahead” in being better protected, according to Cunningham.

Also See: Are we winning the cyber war?

Outsourcing the hosting of information systems to a cloud vendor or contracting with a local security firm may be a cost-effective alternative, but there are some core questions to ask, particularly the type of talent on staff, Cunningham says.

Companies employing staff with military intelligence experience is optimal. Ask if the company offers a suite of services or only certain parts, such as security threat management, vulnerability testing, encryption, asset identification and migration practices.

IT executives should do some research on the Internet to learn about best-of-breed technologies and assess if the company has a best-of-breed suite or a product cobbled together with inferior tools. A small organization also should ask about the frequency of employee training, which should be almost constant, and what the turnover rate is.

If employees believe the company is making a difference, they will stay; otherwise, they are out the door in 90 days, Cunningham notes. Searches on LinkedIn can help you find out how long employees have been at the company, or if they have left, how long they were there.

Above all, small organizations should watch out for companies without a lot of human talent and bombastic claims, Cunningham warns. “If they tell you they can do everything with technology, they’re lying.”

More for you

Loading data for hdm_tax_topic #care-team-experience...